feeble.hey!dora.exploit part.II

From: http-equivat_private
Date: Mon May 28 2001 - 19:48:42 PDT


    Monday, May 28, 2001 
    
    Silent delivery and installation of an executable on a target computer. This
    can be accomplished with the default installation of the mail client Eudora
    5.1:
    
    'allow executables in HTML content' DISABLED
    'use Microsoft viewer' ENABLED
    
    The manufacturer http://www.eudora.com has done a tremendous job of shutting
    down all possibilities of scripting and all other necessaries to achieve the
    following result.  See:
    
    http://www.securityfocus.com/bid/2490
    
    However, there still remain a number of good possibilities, one of which is
    the following, which we find to be quite interesting.
    
    1. Using the POWAH! of Internet Explorer, we create yet another HTML mail
    message as follows: 
    
    <FORM action="cid:master.malware.com" method=post target=new><button 
    type=submit
    style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt"><font
     color=#0000ff><u>http://www.malware.com></font></button> </FORM>
    <img SRC="cid:master.malware.com" height=1 width=1><img
    SRC="cid:http://www.malware.com" height=1 width=1>
    
    Where our first image is our executable. Our second image comprises a simple
    JavaScripting and ActiveX control. 
    
    What happens is, once the mail message is opened in Eudora 5.1, the two
    'embedded' images are silently and instantly transferred to the 'Embedded'
    folder.  
    
    What we then do is create a simple html form and button. Owing to the POWAH!
    of Internet Explorer, we are able to create this button with a transparent
    background. In addition, we are able to dispose of the border of this
    button, which combined with the transparent background gives us nothing.
    That is, we have a fully functional form and button but we are not able to
    see it.  We then create a fake link and incorporate that into our invisible
    button. We then embed our simple JavaScripting and ActiveX control into our
    invisible button and fire it off to our target computer:
    
    before click
    
    (screen shot: http://www.malware.com/heydora.jpg 62KB)
    
    after click:
    
    (screen shot: http://www.malware.com/hey!dora.jpg 62KB)
    
    
    The recipient is then lulled into clicking on the "link". What that does is
    pull our html file comprising our simple JavaScripting and ActiveX control
    out of the embedded folder and into a new Internet Explorer Window. 
    
    Because our *.exe and our simple JavaScripting and ActiveX control reside in
    the same folder [the so-called 'Embedded' folder], and because it is
    automatically opened in our new Internet Explorer Window, everything is
    instant.
    
    No warnings. No nothing.
    
    The *.exe is executed instantly. 
    
    2. Working Example. Harmless *.exe. incorporated. Tested on win98, with
    IE5.5 (all of its patches and so-called service packs), default Eudora 5.1
    with 'use Microsoft viewer'  ENABLED and 'allow executables in HTML content'
    DISABLED.
    
    The following is in plaintext. We are unable to figure out how to import a 
    single message into Eudora's inbox. Perhaps some bright spark knows.
    Otherwise, incorporate the text sample into a telnet session or other and
    fire off to your Eudora inbox: 
    
    http://www.malware.com/hey!DORA.txt 
    
    
    Notes: disable 'use Microsoft viewer' 
    
    
    ---
    http://www.malware.com
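
A defender-side check for the markup pattern described in the message above, as an added example that is not part of the original post: it flags an HTML mail body containing a form that posts to a cid: part, a submit control styled to be invisible, and 1x1 images sourced from cid: parts. The class and function names, the finding labels and both sample bodies are constructed for illustration.

```python
import re
from html.parser import HTMLParser


class HiddenFormFinder(HTMLParser):
    """Collects findings for the hidden-form pattern (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", ""))
        # A form whose target is an attachment of the same message.
        if tag == "form" and a.get("action", "").startswith("cid:"):
            self.findings.append("form-posts-to-cid")
        # A submit control with no visible background and no border.
        if tag in ("button", "input"):
            transparent = re.search(r"background(-color)?:transparent", style)
            borderless = re.search(r"border(-width)?:(0(?![.\d])|none)", style)
            if transparent and borderless:
                self.findings.append("invisible-submit-control")
        # An attachment referenced as an image too small to be seen.
        if tag == "img" and a.get("src", "").startswith("cid:"):
            if a.get("height") in ("0", "1") and a.get("width") in ("0", "1"):
                self.findings.append("1x1-cid-image")


def scan_html(body):
    """Return the list of findings for one HTML mail body."""
    finder = HiddenFormFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


# Constructed sample mirroring the structure quoted in the post.
SUSPECT = (
    '<FORM action="cid:part1.example.invalid" method=post target=new>'
    '<button type=submit style="width:130pt;height:20pt;cursor:hand;'
    'background-color:transparent;border:0pt"><font color="#0000ff">'
    '<u>http://www.example.invalid</u></font></button></FORM>'
    '<img SRC="cid:part1.example.invalid" height=1 width=1>'
    '<img SRC="cid:part2.example.invalid" height=1 width=1>'
)
# Constructed benign sample: visible inline logo, ordinary visible form.
BENIGN = (
    '<img src="cid:logo.example.invalid" height=40 width=120>'
    '<form action="https://www.example.invalid/subscribe" method=post>'
    '<input type=submit value="Subscribe"></form>'
)

if __name__ == "__main__":
    print(scan_html(SUSPECT))
    print(scan_html(BENIGN))
```
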
    
    
    
    
    
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue May 29 2001 - 00:47:32 PDT